Author: ukfraud

Fraud and risk specialist for risk & fraud prevention for all business owners, covering banks, credit cards, master cards, insurance companies & all other businesses in Europe and worldwide, on a par with the National Fraud Authority (NFA) and Insurance Fraud Bureau (IFB).

‘Industry experts’ and observers in the US marketplace recently reported “EMV Return on Investment unlikely for Retailers”. But is this true? And either way, does it matter, are there bigger issues at stake? To understand the issues, we must dig a little deeper.

There are probably THREE main issues to consider here:

1. Where is the USA compared to the rest of the world?
2. Who should be driving and leading the change in the US?
3. What are the costs / savings and overall business case?

REST OF THE WORLD

In spite of EMV being ‘invented’ by US-headquartered companies, the US market has consistently deferred adoption for a variety of reasons that are shown later, leaving the rest of the world to adopt EMV as the route for all card present transactions. There are of course ‘local adaptations’ for CVM requirements, offline authorisation, routing logic and other minor customisation of EMV standards, but generally, everyone has simply implemented the programme over the last 15 years and built upon the programme and the standards over time, with increasing security and standards adopted as they have been required.

Has it worked and does it matter that the US is behind?

It is not an easy journey, but EMV has delivered on all expectations outside the USA, with significantly reduced card present fraud – both counterfeit and lost/stolen. EMV cannot deliver ‘world peace’, nor was it expected to do so, nor was it ever expected to fix or prevent the never-ending data breaches, nor protect against traditional CNP fraud events. It does, however, enable a largely ‘risk-free’ payment platform for other initiatives such as secure NFC contactless; improved merchant and customer experiences; faster point-of-sale timings (even in a market of simply swipe and go); reduced occurrence of payment disputes; and moving the smaller remaining fraud liability from the participating merchant to the card issuer.

Furthermore, data compromises at places like Target, notably take place in the USA; largely because cards that are compromised utilise the old-fashioned ‘mag-stripe only’ technology. It has not been widely reported either, that EMV cards are largely useless to fraudsters after such compromises – except for use in the USA – where, even there, they would not be possible to use were there not still a magnetic stripe-only environment.

The rest of the world is looking forward to the long-awaited and delayed ‘transfer of liability’ that kicked in on 1st October 2015 – when the so-called ‘liability shift’ took place. This means that from this date, card issuers around the world will start to be able to pass fraud losses (typically counterfeit-only, but some lost/stolen) on to the merchant acquirers in the USA when their EMV Chip payment card data is used in non-EMV enabled environments, and in turn pass them on to the retailer where EMV is not deployed. The expected aggressive passing-on of these fraud losses will, however, help to make a stronger business case for retailers to adopt EMV and protect themselves.

The rest of the world has mostly moved away from the antiquated 60 year old insecure technology over the last 10 to 15 years – over to a now albeit 20+ year old technology, but which is being continually updated. It will continue to be updated and evolved, but we do need to get rid of the 60 year old platforms globally before things can really start to accelerate-away with new ideas and technology.

WHO SHOULD BE DRIVING THIS?

“Everyone” is the short answer – but in the US there are a few tough obstacles. The payments environment is embedded in the old technologies, legacy systems where the ‘lowest common denominators’ in the USA are fears of losing routing and processing revenues, control and profitability when the market adopts EMV technology; and issuers who protect their world-leading high interchange rates (as well as high fraud rates) that come with the insecure networks. The costs for a retailer associated with processing an EMV transaction – especially an EMV with a CVM such as PIN should fall – as the till throughput can be speeded up and the disputes and ‘validation/referral costs’ almost removed. Retailers are naturally confused, and they are trying to find other solutions, and the wider industry does not have a single strategic planning function or voice.

In many markets the retailer and retail communities demand:

1. Lower processing costs. To lower costs, some retailers champion interchange rate cuts, and greater transparency, and still others move their processing (even contrary to card scheme rules) to other continents!
2. Faster customer service at the till – i.e. EMV solutions should require customers to retain control of the card (at the ‘customer side’ of the till) – and with a PIN entry to speed-up and secure the customer journey and processing efficiencies, to focus retailer staff on service rather than upon security checks for the banks.
3. Lower administration/dispute costs: associated with no need to keep or retrieve paper versions of receipts with ‘signatures on them’, where vouchers become ‘electronic’.
4. Help from card schemes, acquirers, merchant processors, vendors, solution providers, etc., to lift or remove barriers to implementing EMV: e.g. ensure readiness and availability of solutions at reasonable prices, and assist with the deployment costs.

COSTS / SAVINGS / BUSINESS CASE

The business case for EMV adoption and its implementation was and still is not an easy one. It is difficult to justify an initial upfront cost (and ongoing costs) of deploying an EMV infrastructure with all its ‘back-office’ functions – for both big and small merchants. But the industry has calculated that the cost of fraud is greater than the cost of EMV migration, so benefits to the financial services industry are clear.

To reduce pain in implementing EMV in almost all markets, the planning and coordination has been carried out over an extended period of time. This made sure that:

1. Complex solutions were made easier, and that this was not seen as a ‘quick-fix’,
2. Costs were spread over multiple years,
3. Advantage could be taken of constantly improving and new vendor solutions,
4. Early attacks on certain fraud types could be seen as ‘quick wins’,
5. All interested parties could engage and collaborate,
6. New payment solutions could evolve that took advantage of the EMV ‘railroad’,
7. Legislation and regulatory thinking on fraud and consumer rights could be initiated and honed,
8. The entire biosphere of payments could be moved forward 50+ years – and support modern security, authentication, and then new/alternative payment methods.

The challenge now is to transfer the value of fraud savings and cost savings that are today spread across the industry, over to the retailers. At the same time, the retailer should be able to quantify efficiencies, reduced costs and better customer service, increased sales and greater profitability. ‘Someone, somewhere’ needs to ignore ‘market protectionist’ thinking that still exists in some of the key stakeholder financial service providers and management of the card schemes and develop a true industry strategy that will work – with a more compelling business case. Equally, people need to stop finding “1001 excuses” for not adopting EMV, especially when most of them are plain wrong or irrelevant. The US can, after all, negotiate hard to take advantage of the fact that all suppliers in this space have ‘done it all many times before’.

SYNOPSIS

So is it a colossal waste of time to implement EMV? The answer is a profound and clear ‘No’.

Major stakeholders must now ‘get with the programme’; and the many individual participants that are not thinking about the wider industry position – need to ‘move forward too’ in their thinking.

Card scheme rhetoric and self-preservation, issuer, acquirer processor and vendor self-motivations need to be re-channelled towards the collective good, and for the benefit of the payments industry in the USA; and start to support evolving the US market to catch-up with, and if possible, to leap ahead of the rest of the world.

The first step though must be to reconfirm the issues and the longer-term vision, agree one set of facts, fully-loaded business case justifications and develop a collective and realistic market plan.

Author Kevin Smith is a senior payment services & risk management consultant who provides his consultancy services to card issuers, banks, corporates and business entities all over the world. At present he is director of RiskSkill, UKFraud and a permanent member of AIRFA.

In a strange sequence of events, we read that PayPal has been unsuccessful in securing a payments processing license in Turkey. This means that it will not be able to send or receive money for PayPal customers in Turkey. Furthermore, existing payment funds will have to be paid back to Turkish bank accounts. This does not bode well for PayPal, other global payments systems or the cross-border processing of payments in Turkey and Europe overall.

Why is this? It seems that the BDDK (www.bddk.org.tr), i.e. the Turkish Banking Regulation and Supervision Agency, introduced a law (June 2013) that required PayPal and others to base their IT systems in Turkey.

We all recognise the need and support for individual markets to protect themselves with appropriate controls, particularly in processing ‘sensitive data’, but requiring all operators to process and retain all data ‘locally’ in Turkey, seems overly reactive and more of a deliberate way of preventing international players from operating in the Turkish market. This will force ‘new’ international entrants to the market to take a more local presence in Turkey – both for governance and for where the IT systems are based. And what about other existing non-compliant entities?

It appears that PayPal have been very gallant and relatively quiet publicly about this situation in commentary since the decision; so it begs more questions:

a) With Turkey’s ambitions to join the EU (negotiations started in 2005), is this really going to help in the spirit of economic collaboration and delivering global commerce?

b) Turkish authorities have enough bigger challenges – so can they really want this to further hinder their campaign?

c) Who else will this impact? Will other and existing companies that are not complying with the same requirements be required to leave the country if they do not meet the requirements that IT systems be located in Turkey?

d) Did no one at PayPal see this coming?

e) Has no-one in the European monolith raised this as an issue with Turkish authorities and explained to them how far away from the spirit and intent of the EU marketplace this really is?

Author Kevin Smith is a senior payment services & risk management consultant who provides his consultancy services to card issuers, banks, corporates and business organizations all over the globe. He is director of RiskSkill, UKFraud and a permanent member of AIRFA.

The UK Treasury has confirmed its plan to roll out a new £1 coin from late March 2017, which the Treasury claims is the most resistant to counterfeiting ever produced. Well it needs to be, we all know how insecure the current £1 coin is and the ease of counterfeiting.

Like most risk and fraud measures, we aim to stay one step ahead of the bad guys, but with the UK Government’s approach to addressing the weaknesses of our coins and notes, we are a little late, in fact very late.

The new 12-sided £1 coin, which closely follows the recently introduced and controversial new £5 note, has a number of new security features. These include a hologram that apparently changes from a ‘1’ to a ‘£’ when viewed from different angles. Funny, Visa and MasterCard thought holograms on cards were a good idea until it became apparent how easy it was to counterfeit the hologram on an industrial scale.

I do note however, that the new £1 coin possesses other security features built into the coin to protect it from counterfeiting. It needs to be as it will be immediately tested by the criminals. If we are going to continue to prolong and in fact promote and extend the life of the £1 coin then it will need super protection.

The UK Treasury believes that one in every 30 £1 coins in circulation today is counterfeit. Funny, I remember reading a few years ago that the Royal Mint and/or the organisation tasked with assessing this ratio, determined that it was closer to one in 20, so closer to 5% of £1 coins in our pocket or piggy bank.

I get it, we have to protect the poor old £1 coin with a new super secure version if we are going to prolong its existence. But along with changes to other bank notes, this is being performed at a time where there is continued rhetoric in moving towards the cashless society and significant momentum in displacing coins and notes with electronic payment methods.

Contactless payments, after a very slow and disjointed start are now increasing in awareness, popularity and usage, whether card or mobile-based, traditional payment brand or new and emerging payment solution.

The cost of deploying the infrastructure to support electronic payments and displace lower value payments has taken a long time and is still progressing, at great expense and through an evolution, no, revolution, in electronic payments. The financial services industry, along with the merchant, retailer and vendor communities, have effectively collaborated to deploy electronic payment solutions. This may not have always been in a spirit of harmony, but the benefits to all were there to be realised. But are we doing enough to collectively realise the benefits?

So once again, have the powers that be really thought through the impact on coin usage and acceptance by consumers, coin savers, retailers and their PoS equipment, especially unattended devices like self-service checkouts, car parking, vending, etc.? Device upgrades and/or replacements will be necessary at great expense. So will training and education for all, especially training and educating the consumers, which will probably be left to the retail community.

Does this present the opportunity for some radical change of thinking in how to accelerate cash and coin displacement? Why upgrade equipment? Just force consumers to pay electronically, or make them follow a different payment process if they really wish to pay with coins. I already see retail staff steering consumers to contactless payment, where both the terminal and card are enabled. Why not promote this approach?

Not only should we be making usage of coins and notes less attractive, but we must ensure that the use of electronic payments is seen to be and is in reality – a superior consumer and retailer experience. Speed, convenience, security, reliability and yes price, are all critical in ensuring that the card, phone or other electronic payment experience is preferred.

So where is the collective focus on trying harder to displace cash transactions rather than just spending lots of money redesigning new coins and notes, which will confuse, add significant implementation and ongoing costs and operational headaches?

Where is the demonstration that UK Government, financial institutions, payments schemes, retailer community, solution providers and other stakeholders are truly collaborating to ensure that cashless payments is not just a dream?

Author Kevin Smith is a senior payment services & risk management consultant who provides his consultancy services to card issuers, banks, corporates and business organizations all over the globe. He is director of RiskSkill, UKFraud and a permanent member of AIRFA.

Welcome to our blog, this is my first blog post. I would like to share my knowledge and experiences regarding risk management, payment services, fraud management, due diligence, and risk review strategies and news.

About Kevin Smith

Kevin Smith is a United Kingdom-based senior & independent payment services consultant, due diligence specialist, fraud management expert and risk management specialist who provides his services to card issuers, banks, corporates, industries and business organizations worldwide. He is chief executive of PayTech Consulting, BeCyberSure, RiskSkill, UKFraud and a member of AIRFA.